Data Orthogonalization for Cryptography

Part one gave a short introduction to bitslicing as a concept and talked about
its use cases, truth tables, software multiplexers, LUTs, and manual optimization. The second covered Karnaugh mapping,
a visual method to simplify Boolean algebra expressions that takes advantage of
humans’ pattern- …
» READ MORE «

Data Orthogonalization for Cryptography

Bitslicing, in cryptography, is the technique of converting arbitrary
functions into logic circuits, thereby enabling fast, constant-time
implementations of cryptographic algorithms that are immune to cache- and
timing-related side-channel attacks. My last post Bitslicing, An Introduction
showed how to …
» READ MORE «

Data Orthogonalization for Cryptography

Bitslicing (in software) is an implementation strategy enabling fast,
constant-time implementations of cryptographic algorithms that are immune to cache- and
timing-related side-channel attacks. This post intends to give a brief overview of the general technique, not requiring
much of a cryptographic …
» READ MORE «
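The three bitslicing entries above describe one technique: replace a data-dependent table lookup with a fixed sequence of AND/OR/NOT operations over bit-planes, so that neither the memory access pattern nor the instruction trace depends on the secret input. The following C program is an added example written for this index page; it is not code from the series, and its 3-bit S-box table is a constructed toy, not the S-box of any real cipher. It derives the circuit mechanically from the truth table (the unminimized sum-of-products form that the software multiplexer and LUT discussion starts from, before any simplification such as the Karnaugh mapping covered in part two), evaluates 32 inputs in parallel in 32-bit lanes, and cross-checks the result against the plain lookup.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy 3-bit S-box. The table is constructed for this example; it is not the
 * S-box of any real cipher. */
#define N_BITS 3
#define N_INPUTS (1u << N_BITS)
static const uint8_t SBOX[N_INPUTS] = { 6, 1, 3, 7, 0, 4, 2, 5 };

/* One lane holds the same bit position of 32 independent inputs: bit k of
 * in[i] is input bit i of parallel evaluation number k. */
typedef uint32_t lane_t;
#define LANES 32

/* Table lookup: fast, but the load address depends on secret data, so the
 * cache line touched leaks x. This is the reference the circuit must match. */
uint8_t sbox_lookup(uint8_t x) { return SBOX[x & (N_INPUTS - 1)]; }

/* Pack 32 inputs into N_BITS bit-planes (the "orthogonalization" step). */
void slice(const uint8_t x[LANES], lane_t in[N_BITS]) {
    memset(in, 0, N_BITS * sizeof(lane_t));
    for (unsigned k = 0; k < LANES; k++)
        for (unsigned i = 0; i < N_BITS; i++)
            in[i] |= (lane_t)((x[k] >> i) & 1) << k;
}

/* Unpack bit-planes back into 32 byte values. */
void unslice(const lane_t out[N_BITS], uint8_t y[LANES]) {
    for (unsigned k = 0; k < LANES; k++) {
        y[k] = 0;
        for (unsigned j = 0; j < N_BITS; j++)
            y[k] |= (uint8_t)(((out[j] >> k) & 1) << j);
    }
}

/* The S-box as a logic circuit in sum-of-products form, read straight off
 * its truth table: out_j = OR over all x with SBOX[x] bit j set of the
 * minterm AND_i (x_i ? in_i : ~in_i). Every branch and table index below
 * depends only on the loop counter and the public table, never on the lanes,
 * so the sequence of AND/OR/NOT operations and memory accesses is identical
 * for every input. */
void sbox_circuit(const lane_t in[N_BITS], lane_t out[N_BITS]) {
    memset(out, 0, N_BITS * sizeof(lane_t));
    for (unsigned x = 0; x < N_INPUTS; x++) {
        lane_t minterm = ~(lane_t)0;            /* lanes whose input == x */
        for (unsigned i = 0; i < N_BITS; i++)
            minterm &= ((x >> i) & 1) ? in[i] : ~in[i];
        for (unsigned j = 0; j < N_BITS; j++)
            if ((SBOX[x] >> j) & 1)
                out[j] |= minterm;
    }
}

/* Evaluate 32 S-box applications at once, constant-time. */
void sbox_bitsliced32(const uint8_t x[LANES], uint8_t y[LANES]) {
    lane_t in[N_BITS], out[N_BITS];
    slice(x, in);
    sbox_circuit(in, out);
    unslice(out, y);
}

/* Cross-check the circuit against the table on every possible input
 * (repeated to fill all 32 lanes). Returns 1 on agreement, 0 on mismatch. */
int sbox_circuit_matches_table(void) {
    uint8_t x[LANES], y[LANES];
    for (unsigned k = 0; k < LANES; k++) x[k] = (uint8_t)(k % N_INPUTS);
    sbox_bitsliced32(x, y);
    for (unsigned k = 0; k < LANES; k++)
        if (y[k] != sbox_lookup(x[k])) return 0;
    return 1;
}

int main(void) {
    printf("bitsliced S-box %s the table\n",
           sbox_circuit_matches_table() ? "matches" : "DOES NOT match");
    return 0;
}
```

Compile with any C99 compiler and run. Two things to notice: the unminimized circuit spends eight minterms of three ANDs each on every output bit, which is exactly the cost the later parts of the series attack with minimization; and the `SBOX[x]` reads inside `sbox_circuit` are indexed by the loop counter, not by the data, so their addresses are the same on every run. A production implementation would bake the gate list in at compile time and never reference the table at all.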

Exploring formal verification (part 3)

Previously I introduced some very basic Cryptol and SAWScript, and explained how to reason about the correctness of constant-time integer multiplication written in C/C++. In this post I will touch on using formal verification as part of the code review process, in particular show how, by using the …
» READ MORE «

Forward secure PSK key agreement in TLS 1.3

A while ago I wrote about the state of server-side session resumption implementations in popular web servers using OpenSSL. Neither Apache, Nginx, nor HAproxy purged stale entries from the session cache or rotated session tickets automatically, potentially harming the forward secrecy of resumed TLS …
» READ MORE «

Exploring formal verification (part 2)

In the previous post I showed how to prove equivalence of two different implementations of the same algorithm. This post will cover writing an algorithm specification in Cryptol to prove the correctness of a constant-time C/C++ implementation. Apart from rather simple Cryptol I’m also going …
» READ MORE «

Exploring formal verification (part 1)

This is the first of a small series of posts that will scratch the surface of the world of formal verification. I will mainly use SAW, the Software Analysis Workbench, and Cryptol, a DSL for specifying crypto algorithms. Both are powerful tools for verifying C, C++, and even Rust code, i.e. almost …
» READ MORE «

The High Assurance Crypto Software workshop

Real World Crypto is probably one of my favorite conferences. It’s a fine mix of practical and theoretical talks, plus a bunch of great hallway, lunch, and dinner conversations. It was broadcast live for the first time this year, and the talks are available online. But I’m not going …
» READ MORE «

Working around bugs in legacy TLS stacks

A few weeks ago I listened to Hanno Böck talk about TLS version intolerance
at the Berlin AppSec & Crypto Meetup. He explained how, with TLS 1.3 just
around the corner, there are again growing concerns about faulty TLS stacks
found in HTTP servers, load balancers, routers, firewalls, and similar …
» READ MORE «

Automating builds and tests with Mozilla’s Taskcluster framework

The following image shows our TreeHerder dashboard after pushing a changeset
to the NSS repository. It is the result of only a few weeks of work (on our side).
Based on my experience from building a Taskcluster CI for NSS over the last
weeks, I want to share a rough outline of the process of …
» READ MORE «

Signature algorithms and schemes in TLS 1.0 - 1.3

This post will take a look at the evolution of signature algorithms and schemes
in the TLS protocol since version 1.0. I at first started taking notes for
myself but then decided to polish and publish them, hoping that others will
benefit as well. (Let’s ignore client authentication for …
» READ MORE «

My work on Mozilla’s Security Engineering team

It’s been a little more than six months since I officially switched to the
Security Engineering team here at Mozilla to work on NSS and related code.
I thought this might be a good time to share what I’ve been up to in a short
status update:
Removed SSLv2 code from NSS
NSS contained …
» READ MORE «

ChaCha20/Poly1305 cipher suites in Firefox 47

The only TLS v1.2+ cipher suites with a dedicated AEAD scheme are the ones using
AES-GCM, a block cipher
mode that turns AES into an authenticated cipher.
From a cryptographic point of view these are preferable to non-AEAD-based cipher
suites (e.g. the ones with AES-CBC) because getting …
» READ MORE «

Packaging the Signal Private Messenger and NW.js into a standalone app

The Signal Private Messenger is great. Use it. It’s probably the best secure
messenger on the market. When recently a desktop app was announced people were
eager to join the beta and even happier when an invite finally showed up in
their inbox. So was I, it’s a great app and works …
» READ MORE «

Improved Handshakes in TLS version 1.3

Please note that this post is about draft-11 of the TLS v1.3 standard. TLS must be fast. Adoption will greatly benefit
from speeding up the initial handshake that authenticates and secures the
connection. You want to get the protocol out of the way and start delivering
data to visitors as soon as …
» READ MORE «

PBKDF2 and the WebCrypto API in the wild

My esteemed colleague Frederik Braun recently took on rewriting the module
responsible for storing and checking the passcodes that unlock Firefox OS
phones. While we are still working on actually landing it in Gaia, I wanted to
seize the chance to talk about this great use case of the WebCrypto API in …
» READ MORE «

The sad state of server-side TLS Session Resumption implementations

After you have finished reading this one, please also read the follow-up post
that covers session resumption changes in TLS 1.3.
Probably the oldest complaint about TLS is that its handshake is slow and,
together with the transport encryption, has a lot of CPU overhead. This
certainly is not true anymore …
» READ MORE «

Tinkering with the WebCrypto API

You have probably read that
Facebook unveiled its hidden service
that lets users access their website more safely via Tor. While there are lots
of opinions about whether this is good or bad I think that
the Tor project described best why that is not as crazy as it seems. The most interesting part …
» READ MORE «

The what, why, and how of RFC 7469

In my last post
“Deploying TLS the hard way”
I explained how TLS and its extensions (as well as a few HTTP extensions) work
and what to watch out for when enabling TLS for your server. One of the HTTP
extensions mentioned is
HTTP Public-Key-Pinning (HPKP).
As a short reminder, the …
» READ MORE «

Configuring HTTPS for your domain(s)

How does TLS work?
The certificate
(Perfect) Forward Secrecy
Choosing the right cipher suites
HTTP Strict Transport Security
HSTS Preload List
OCSP Stapling
HTTP Public Key Pinning
Known attacks
Last weekend I finally deployed TLS for timtaubert.de and decided to write up
what I learned on the way …
» READ MORE «

A virtual build environment for Firefox

Note: This post might be outdated as it has been turned into an MDN page.
Please refer to the MDN page for the latest information about the Firefox
Developer VM. It will also tell you the correct checksum to compare to after
downloading. https://developer.mozilla.org/docs/Mozilla/Developer_guide/ …
» READ MORE «

I got to spend Wednesday through Friday in Edinburgh last week to attend
Scotland.JS. Edinburgh is a lovely city and I will definitely return to get to
know it better. It has great people, beers, food and even a castle - what more
could one want? I arrived on Wednesday, just in time for the …
» READ MORE «

Experiments with ES6 generators

JavaScript comes with most of the little functional tools you need to work on
finite sequences that are usually implemented using Arrays. Array.prototype
includes a number of methods like map() and filter() that apply a given
function to all items of the Array and return the resulting new Array. [1 …
» READ MORE «

Implementing ES6 generators and iterators

You have probably already heard of
generators and iterators
coming to a browser near you. They have been available in Firefox for a long
time and are used extensively all over the Mozilla code base. The V8 team
will implement iterators and generators
once ES6 has been finalized. This post describes …
» READ MORE «

Simple motion detection in a live video

Now that you should already know how to build a live green screen and an
EyeToy-like mini-game using nothing but plain JavaScript and a modern browser
supporting WebRTC, let us move on to another interesting example: simple motion
detection in a live video.
The initialization code
To detect motion …
» READ MORE «

Building an EyeToy-like mini-game

This post is a follow-up to my previous one about building a live green screen
with getUserMedia() and MediaStreams. If you have not read it yet, this might
be a good time. We will extend the small example to build an EyeToy-like
mini-game.
Some additions
var video, width, height, context;
var …
» READ MORE «

Building a live green screen

While recently watching a talk about the new WebRTC features I was reminded of
Paul Rouget’s great green screen demo and thought that this would be a cool
thing to have for live video as well. Let us build a live green screen!
The markup
<body> <video id="v" width="320 …
» READ MORE «

As you probably already know, Firefox 13 introduced a neat new feature - the
new tab page.
We replaced the old blank page with a list of thumbnails of recently visited
sites. While the feature itself works great for many people it has definitely
made opening new tabs a little more noisy. Do not …
» READ MORE «

A histogram of Firefox download sizes

Lately, Asa Dotzler posted to dev.apps.firefox regarding the download size of Firefox:
This evening I noticed that my full win32 mar update for Firefox was 21MB. That caused me to look at what our full win32 installer size was. I was a bit surprised to see it’s up to 17MB. When we shipped Firefox 1 …
» READ MORE «

You may already know the story of how I became a Firefox contributor. Back in early April of 2011, having volunteered full-time for three months (a rather short time compared to other core contributors), I was given the opportunity to start as a paid contributor working for Mozilla. Over the year I …
» READ MORE «

In my post Leak hunting in browser-chrome mochitests I wrote about the measures we were considering to prevent regressing efforts to get rid of leaks in Firefox. Now that bug 683953 has landed we finally have a way to detect the leakage of whole DocShells and DOMWindows for the lifetime of the …
» READ MORE «

Over the last weeks we worked hard on getting the New Tab Page into Firefox. It’s not quite ready yet but we need your help testing it. We enabled it by default on Nightly and decided to give it a week on Aurora to get feedback from those users as well. Nightly: http://nightly.mozilla.org/
Aurora: …
» READ MORE «

December 2009. I’ve been a freelancer for quite some time now and decided to dedicate some weeks to something that always fascinated me: contributing to a big open source project. I started some smaller open source projects in the past (like Video4Linux.Net and ViGedit+) and contributed every so …
» READ MORE «

Some weeks (even months) ago Dão Gottwald started the hunt for leaked DOMWindows and DocShells while running our browser-chrome mochitest suite (see bug 658738). That means that there are some expensive objects whose lifetimes are longer than they should be – they are kept alive until the test …
» READ MORE «

Writing code for multi-process Firefox

You probably have all heard of this weird new thing called Electrolysis (a.k.a. e10s). Basically it’s all about running the browser UI and its tabs in separate processes. I recently rewrote a part of Panorama to be e10s-future-proof and thought I should share what I’ve learned so far… (If you don’ …
» READ MORE «

Starting with tomorrow’s Nightly, hidden tabs are no longer restored by default when starting Firefox. That means tabs from inactive Panorama groups will not load until these groups/tabs are shown. Finally we have a part of the behavior everyone actually expects when using Panorama. If you have …
» READ MORE «

A Firefox Add-on

As you probably know, in Firefox there is unfortunately no way to configure existing shortcuts. All I found is the keyconfig add-on, that seems really old and very hard to configure (there is no UI, only about:config). That’s why I finally decided to write an add-on with a neat UI (not only) for …
» READ MORE «